BinaryBuilder.jl VS spack

There are some efforts and the startup times are getting better with every release and there's BinaryBuilder.jl.

There is the Julia package https://github.com/JuliaPackaging/BinaryBuilder.jl which creates an environment that fakes being another, but with the correct compilers and SDKs . It's used to build all the binary dependencies

https://binarybuilder.org/. You can do it manually obviously, but this is easier.

> The main pain point is probably the lack of standard, multi-environment packaging solutions for natively compiled code.

Are you talking about something like BinaryBuilder.jl[1], which provides native binaries as julia-callable wrappers?

--

[1] https://binarybuilder.org

Julia did that for binary dependencies for a few years, with adapters for several linux platforms, homebrew, and for cross-compiled RPMs for Windows. It worked, to a degree -- less well on Windows -- but the combinatorial complexity led to many hiccups and significant maintenance effort. Each Julia package had to account for the peculiarities of each dependency across a range of dependency versions and packaging practices (linkage policies, bundling policies, naming variations, distro versions) -- and this is easier in Julia than in (C)Python because shared libraries are accessed via locally-JIT'd FFI, so there is no need to eg compile extensions for 4 different CPython ABIs (Julia also has syntactic macros which can be helpful here).

To provide a better experience for both package authors and users, as well as reducing the maintenance burden, the community has developed and migrated to a unified system called BinaryBuilder (https://binarybuilder.org) over the past 2-3 years. BinaryBuilder allows targeting all supported platforms with a single build script and also "audits" build products for common compatibility and linkage snafus (similar to some of the conda-build tooling and auditwheel). There was a nice talk at AlpineConf recently (https://alpinelinux.org/conf/) covering some of this history and detailing BinaryBuilder, although I'm not sure how to link into the video.

All that to say: it can work to an extent, but it has been tried various times before. The fact that conda and manylinux don't use system packages was not borne out of inexperience, either. The idea of "make binaries a distro packager's problem" sounds like a simplifying step, but that doesn't necessarily work out.

> Are we talking about the same autotools?

Yes. Instead of figuring out how to do something particular with every single software package, I can do a --with-foo or --without-bar or --prefix=/opt/baz-1.2.3, and be fairly confident that it will work the way I want.

Certainly with package managers or (FreeBSD) Ports a lot is taken care of behind the scenes, but the above would also help the package/port maintainers as well. Lately I've been using Spack for special-needs compiles, but maintainer ease also helps there, but there are still cases one a 'fully manual' compile is still done.

> Suffice it to say, I prefer to work with handwritten makefiles.

Having everyone 'roll their own' system would probably be worse, because any "mysteriously failure" then has to be debugged specially for each project.

Have you tried Spack?

* https://spack.io

* https://spack.readthedocs.io/en/latest/

Well, good luck with that, cause it's broken.

Previous release miscompiled Python [1]

Current release miscompiles bison [2]

[1] https://github.com/spack/spack/issues/38724

[2] https://github.com/spack/spack/issues/37172#issuecomment-181...

gh is available via Homebrew, MacPorts, Conda, Spack, Webi, and as a…

> I can't count the number of times I've seen people say "md5 is fine for use case xyz" where in some counterintuitive way it wasn't fine.

I can count many more times that people told me that md5 was "broken" for file verification when, in fact, it never has been.

My main gripe with the article is that it portrays the entire legal profession as "backwards" and "deeply negligent" when they're not actually doing anything unsafe -- or even likely to be unsafe. And "tech" knows better. Much of tech, it would seem, has no idea about the use cases and why one might be safe or not. They just know something's "broken" -- so, clearly, we should update.

> Just use a safe one, even if you think you "don't need it".

Here's me switching 5,700 or so hashes from md5 to sha256 in 2019: https://github.com/spack/spack/pull/13185

Did I need it? No. Am I "compliant"? Yes.

Really, though, the main tangible benefit was that it saved me having to respond to questions and uninformed criticism from people unnecessarily worried about md5 checksums.

[1] https://github.com/spack/spack/blob/develop/var/spack/repos/...

In Spack [1] we can express all these constraints for the dependency solver, and we also try to always re-cythonize sources. The latter is because bundled cythonized files are sometimes forward incompatible with Python, so it's better to just regenerate those with an up to date cython.

[1] https://github.com/spack/spack/

You want to look at the tools used for HPC systems, these are generally very well tried and tested and can be setup for single machine usage. Remote access - we use ssh, but web interfaces such as Open On Demand exist - https://openondemand.org/. For managing Jobs, Slurm is currently the most popular option - https://slurm.schedmd.com/documentation.html. For a module system (to load software and libraries per user), Spack is a great - https://spack.io/. You might also want to consider containerisation options, https://apptainer.org/ is a good option.

git clone https://github.com/spack/spack.git ./spack/bin/spack install gcc